Securing Containers vs. Securing VMs: 4 Key Differences
June 05, 2017

Ben Bernstein
Twistlock

If you work in IT or software development, chances are you're familiar with container technology. Over the last few years, containerization has gained mainstream adoption and a recent 451 report showed that 25 percent of companies are using the technology. Developers love using containers to build, run and ship applications in a flexible and simple way. However, the technology has received backlash for not being as secure as other (traditional) methods, such as Virtual Machines (VMs).

It's easy to bucket containers and VMs together as these technologies are both designed to provide an isolated environment in which to run an application. Therefore, they are often perceived to the public as competing, but in reality, they are complementary and completely different.

Securing containers and securing VMs requires a completely different process. Below are four key differences between securing containers versus securing VMs:

1. Many more entities

Statistics show, that containerized environments typically consist of roughly 1:8 VM to container ratio. While this isn't exact math, it correlates with a known difference between VMs and containers, which is the underlying architecture. With containers, there are multiple entities that make up an application. The applications can then be deconstructed into smaller components thus changing the way they are secured and managed in production.

2. Stateless and immutable

If you're wondering how to backup your container, the answer is simple — you can't. Data doesn't live in the container, instead, it's stored in a named volume that is shared between 1-N containers that the developer defines. Containers run in an immutable fashion, so once the developer backs up the data volume or deploys the container, they will then destroy it. The developer can then redeploy a new version of the image with the upgrade to the application.

This allows security teams to have a greater degree of automation and discover what the application should do, and how to build an application protection profile that's specifically tailored to that version of the app.

3. High rate of change, much more ephemeral

When DevOps teams work together within a containerized environment, build times are reduced from months to hours. Through this continuous integration, applications are constantly being altered and updated — sometimes multiple times a day. This rate of change is much faster than working in a VM environment — empiric data shows that a typical container churns 9 times faster than VMs.

What's even more impressive is that when used correctly with orchestrations, the typical lifetime of a container is less than one day. However, when there are frequent updates in a containerized environment, it can be difficult from a security standpoint to monitor each app iteration as closely as preferred. Therefore, it's critical for dev and security teams to work cohesively and set up proper tooling that will monitor the application lifecycle for any threats.

4. Security is largely in the hands of the developer

In a containerized environment, the developers and DevOps teams are mostly responsible for ensuring and maintaining a secure application. The developers determine how most of the application stack is configured, while the DevOps team is in charge of securing the delivery pipeline, staging, orchestration and the containers' host. Alternatively, in a VM environment, the process is simple and beyond the code, security is owned on a daily basis by the IT team.

4. Security is largely in the hands of the developer

In a containerized environment, the developers and DevOps teams are mostly responsible for ensuring and maintaining a secure application. The developers determine how most of the application stack is configured, while the DevOps team is in charge of securing the delivery pipeline, staging, orchestration and the containers' host. Alternatively, in a VM environment, the process is simple and beyond the code, security is owned on a daily basis by the IT team.

Ben Bernstein is CEO and Co-Founder of Twistlock.

Share this

Industry News

December 03, 2024

SmartBear announced its acquisition of QMetry, provider of an AI-enabled digital quality platform designed to scale software quality.

December 03, 2024

Red Hat signed a strategic collaboration agreement (SCA) with Amazon Web Services (AWS) to scale availability of Red Hat open source solutions in AWS Marketplace, building upon the two companies’ long-standing relationship.

December 03, 2024

CloudZero announced the launch of CloudZero Intelligence — an AI system powering CloudZero Advisor, a free, publicly available tool that uses conversational AI to help businesses accurately predict and optimize the cost of cloud infrastructure.

December 03, 2024

Opsera has been accepted into the Amazon Web Services (AWS) Independent Software Vendor (ISV) Accelerate Program, a co-sell program for AWS Partners that provides software solutions that run on or integrate with AWS.

December 02, 2024

Spectro Cloud is a launch partner for the new Amazon EKS Hybrid Nodes feature debuting at AWS re:Invent 2024.

December 02, 2024

Couchbase unveiled Capella AI Services to help enterprises address the growing data challenges of AI development and deployment and streamline how they build secure agentic AI applications at scale.

December 02, 2024

Veracode announced innovations to help developers build secure-by-design software, and security teams reduce risk across their code-to-cloud ecosystem.

December 02, 2024

Traefik Labs unveiled the Traefik AI Gateway, a centralized cloud-native egress gateway for managing and securing internal applications with external AI services like Large Language Models (LLMs).

December 02, 2024

Generally available to all customers today, Sumo Logic Mo Copilot, an AI Copilot for DevSecOps, will empower the entire team and drastically reduce response times for critical applications.

December 02, 2024

iTMethods announced a strategic partnership with CircleCI, a continuous integration and delivery (CI/CD) platform. Together, they will deliver a seamless, end-to-end solution for optimizing software development and delivery processes.

November 26, 2024

Check Point® Software Technologies Ltd. has been recognized as a Leader and Fast Mover in the latest GigaOm Radar Report for Cloud-Native Application Protection Platforms (CNAPPs).

November 26, 2024

Spectro Cloud, provider of the award-winning Palette Edge™ Kubernetes management platform, announced a new integrated edge in a box solution featuring the Hewlett Packard Enterprise (HPE) ProLiant DL145 Gen11 server to help organizations deploy, secure, and manage demanding applications for diverse edge locations.

November 26, 2024

Red Hat announced the availability of Red Hat JBoss Enterprise Application Platform (JBoss EAP) 8 on Microsoft Azure.

November 26, 2024

Launchable by CloudBees is now available on AWS Marketplace, a digital catalog with thousands of software listings from independent software vendors that make it easy to find, test, buy, and deploy software that runs on Amazon Web Services (AWS).